mirror of
https://github.com/falcosecurity/falco.git
synced 2025-07-19 00:57:48 +00:00
docs(proposals): gRPC outputs goals/non-goals
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
parent 19f69f4f08
commit 1ee769a76c
49
proposals/20190826-grpc-outputs.md
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
# gRPC Falco Output
|
||||||
|
|
||||||
|
<!-- toc -->
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
We intend to build a gRPC interface to allow users receive and consume the alerts regarding the violated rul.
|
||||||
|
|
||||||
|
## Motivation
|
||||||
|
|
||||||
|
The most valuable information that Falco can give to its users are the alerts.
|
||||||
|
An alert is given by Falco each time a rule is matched.
|
||||||
|
At the current moment, however, Falco can deliver alerts in a very basic way, for example by dumping
|
||||||
|
them to standard output.
|
||||||
|
|
||||||
|
For this reason, many Falco users asked, with issues - eg., [falco#528](https://github.com/falcosecurity/falco/issues/528) - or in the [slack channel]() if we can find a more consumable way to
|
||||||
|
implement Falco outputs in an extensible way.
|
||||||
|
|
||||||
|
The motivation behind this proposal is to design a new output implementation that can meet our user's needs.
|
||||||
|
|
||||||
|
### Goals
|
||||||
|
|
||||||
|
- To design and implement an additional output containing a gRPC client
|
||||||
|
- To keep it as simple as possible
|
||||||
|
- To have a simple contract interface
|
||||||
|
- To only have the responsibility to route Falco output requests and responses
|
||||||
|
- To continue supporting the old output formats by implementing their same interface
|
||||||
|
- To be secure by default
|
||||||
|
- To be asynchronous and non-blocking
|
||||||
|
|
||||||
|
|
||||||
|
### Non-Goals
|
||||||
|
|
||||||
|
- To substitute existing outputs (stdout, syslog, etc.)
|
||||||
|
- To support connecting to multiple gRPC servers
|
||||||
|
- Users can have a single server multiplexing requests to multiple servers
|
||||||
|
- To support queuing mechanisms for message retransmission
|
||||||
|
- Users can have a local gRPC relay server along with Falco that multiplexes connections and handles retires and backoff
|
||||||
|
- To change the output format
|
||||||
|
- To make the message context (text, fields, etc.) and format configurable
|
||||||
|
- Users can already override rules changing their output messages
|
||||||
|
- To act as an orchestrator for Falco instances
|
||||||
|
|
||||||
|
|
||||||
|
## Proposal
|
||||||
|
|
||||||
|
## Design Details
|
||||||
|
|
||||||
|
---
|
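Review bot: The goal "To be secure by default" in the Goals list is never defined, and with "## Proposal" and "## Design Details" left as empty headings nothing in the file says what the default is supposed to guarantee. Suggest adding a sub-bullet under that goal, the way the Non-Goals carry explanatory sub-bullets, stating what the default covers for the gRPC client (for example, whether the connection to the server is encrypted and the peer authenticated unless the user opts out), so the later design can be checked against it. Smaller points in the same hunk: the `[slack channel]()` link in Motivation has an empty target; "violated rul" in the Summary should read "violated rules" and "allow users receive" should be "allow users to receive"; "retires and backoff" in the Non-Goals should be "retries and backoff"; "our user's needs" should be "our users' needs".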